
protected file download


Derleek


Hey there PHP freaks!

So I have a really simple question...

What's the best way to protect a zip file from being downloaded without the user having permission to do so?

Here is the solution I have come up with...


<?php
// Credentials are checked against hard-coded values; on success the file is
// streamed, otherwise the login form is shown. (PHP hoists the unconditional
// function definitions below, so calling them here works.)
if (isset($_POST["username"]) && ($_POST["username"] == "theUsersName") &&
    isset($_POST["password"]) && ($_POST["password"] == "theUsersPass"))
  SendFile();
else
  DisplayLoginPage();

function DisplayLoginPage()
{
?>
<html>
  <head>
    <title>Protected download</title>
  </head>
  <body>
    <h2>Welcome to download area</h2>
    <p> Type username and password to download a file </p>
    <p> Type phpbee for both username and password </p>
    <form action="download.php" method="post">
      Username<br>
      <input type="text" name="username"><br>
      Password<br>
      <input type="password" name="password"><br>
      <input type="hidden" name="login"><br>
      <input type="submit">
      <input type="reset">
    </form>
  </body>
</html>
<?php
}

function SendFile()
{
  // The zip sits next to this script, so its name is also its URL path.
  $FileName = "filename.zip";
  header("Content-Type: application/x-zip-compressed");
  header("Content-Length: " . filesize($FileName));
  header("Content-Disposition: attachment; filename=\"$FileName\"");
  header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
  // Stream the file to the client in binary mode.
  $fp = fopen($FileName,"rb");
  fpassthru($fp);
  fclose($fp);
}
?>

Just wanna make sure this is a valid solution... It's kinda important I get this one right the first time... Thanks!

Change this:

<?php
$fp = fopen($FileName,"rb");
fpassthru($fp);
fclose($fp);
?>

to this:

<?php
readfile($FileName);
?>

Other than that you are good. But if your login becomes more complex you will need to improve the authentication portion. Also make sure your username and password are solid, because that is your only line of defense in this case.


Since you are downloading the file through a script in the same location as the file and using the actual file name, once someone downloads the file, the location and name are known. That information will allow that file and other similar files (with easy-to-guess names) in that same location to be directly downloaded without going through your script.

You need to store the files in a location that is not directly accessible through an HTTP request. Either place them in a folder that is outside your document root folder (closer to the disk root) or, if that option is not available, place the files to be downloaded in a folder that has a .htaccess file that prevents all HTTP access to them (Apache web server only).

Also see this thread http://www.phpfreaks.com/forums/index.php/topic,263415.0.html for a more general-purpose way of doing this. The way you have now hard-codes the file name into the script and would be hard to adapt when there are links to more than one file on a page or when you have more than a few files available for download.

Thx PFM.

I actually dug that post up and was planning on changing the file directory to outside of the root. I'm actually not sure if I do have the ability to do that though...

I'm absolutely unfamiliar with .htaccess, how complex would that be?

Hmm. I seem to be missing something, PFM.

I have figured out how to hide the file. Or even password protect it (.htaccess is pretty cool).

But if I have an .htaccess file like this...

<files photoSet.zip>
order allow,deny
deny from all
</files>

It seems to not be recognizable by a simple header redirect.

How can I hide the file and only accept a download if the user permission is set to do so?

Tired and digging the web... I'll post any solutions I find...

First, place the file outside the root directory.

Second, once the user logs in, read the file like so...

Assuming the php file is in the root directory:

<?php
session_start();
// $_SESSION['logged'] should be set to TRUE at login time; !empty() also
// avoids an undefined-index notice when the user has never logged in.
if (!empty($_SESSION['logged'])) {
     // The zip lives one level above the document root, so it has no URL.
     if (file_exists("../files/myzip.zip")) {
          readfile("../files/myzip.zip");
     }
} else {
     echo '<h1>Permission Denied</h1>';
     echo '<p>You must be logged in to download this file</p>';
}
?>
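Putting the thread's advice together (file outside the document root, session check, script streams the bytes instead of redirecting), here is an added example; it is not code from any poster. It assumes login sets $_SESSION['logged'] = true, that the zips live in /var/www/private_files (a hypothetical path outside the document root), and that the download is requested as download.php?file=photoSet.zip.

```php
<?php
// Added example: serve a zip from outside the document root to logged-in users only.
// Assumed: login code sets $_SESSION['logged'] = true; PRIVATE_DIR is not web-reachable.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private_files';        // hypothetical, outside docroot
const ALLOWED     = ['photoSet.zip', 'filename.zip']; // allow-list of downloadable names

session_start();

if (empty($_SESSION['logged'])) {
    http_response_code(403);
    echo '<h1>Permission Denied</h1><p>You must be logged in to download this file</p>';
    exit;
}

// Keep only the base name so "../" or absolute paths cannot leave PRIVATE_DIR,
// then require the name to be on the allow-list.
$requested = basename((string) ($_GET['file'] ?? ''));
if ($requested === '' || !in_array($requested, ALLOWED, true)) {
    http_response_code(404);
    exit('No such file');
}

// Resolve the real path and confirm it still sits inside PRIVATE_DIR.
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $requested);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('No such file');
}

// Stream the file ourselves. A Location redirect would make the browser fetch
// the zip directly, which the "deny from all" .htaccess (correctly) blocks.
header('Content-Type: application/zip');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

The allow-list plus the realpath check means a request for a name that is not listed, or that resolves outside PRIVATE_DIR, gets a 404 rather than a file.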
